The FCC just passed sweeping new rules to protect your online privacy

The FCC approved new rules to ensure broadband providers do not abuse their customers' app usage and browsing history. Here's everything you need to know about it. (Jhaan Elker/The Washington Post)

Federal officials delivered a landmark ruling in favor of online privacy Thursday, limiting how Internet providers use and sell customer data, while asserting that customers have a right to control their personal information.

Under the Federal Communications Commission’s new rules, consumers may forbid Internet providers from sharing sensitive personal information, such as app and browsing histories, mobile location data and other information generated while using the Internet.

The fresh regulations come as Internet providers race to turn their customers’ behavioral data into opportunities to sell targeted advertising. No longer satisfied with being mere conduits to the Web, these companies increasingly view the information they collect as a source of revenue.

The 3-2 party line vote by the FCC’s five commissioners, led by Chairman Tom Wheeler, a Democrat, was a major blow to some of Washington’s most politically powerful companies, including AT&T, Verizon and Comcast, which had hoped to use their privileged access to user data to build lucrative businesses by targeting advertising across multiple devices. It also was a rare win for privacy advocates, who had struggled to convince the Obama administration and its recent predecessors that the Internet age requires a major overhaul of privacy laws and regulations.

“This was probably the best day we've had on Internet privacy — commercial Internet privacy — maybe ever,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “We got a breakthrough.”

Chester and other consumer advocates predicted that Thursday’s ruling will impart momentum to long-stalled efforts to create even more far-reaching online privacy rules, as is common in other advanced nations.

Ordinary consumers are unlikely to see an immediate impact from the FCC ruling, but privacy advocates had warned that allowing Internet providers to sell the locations, browsing histories and other online data of their own customers could have taken online tracking to a troubling new level, leaving those who wanted to obscure their online activities — or even their physical movements — few options to protect their privacy.

“If this was not done, it could have really hard-wired a surveillance infrastructure into the Internet itself,” said Jay Stanley, a senior policy analyst for the ACLU.

The new rules, which could face a legal challenge from affected companies, require Internet providers to obtain their customers’ explicit consent before using or sharing sensitive data with third parties, such as marketing firms. That could mean dialogue boxes, new websites with updated privacy policies or other means of interaction with companies, which may offer discounts or other incentives to customers who voluntarily consent to online tracking.

The FCC vote also restricts trading in health data, financial information, Social Security numbers and the content of emails and other digital messages. The rules force service providers to tell consumers what data they collect and why, as well as to take steps to notify customers of data breaches.

“It’s the consumers’ information,” said Wheeler, a former cable industry lobbyist who shepherded the rules through a deeply divided FCC. “How it is used should be the consumers’ choice. not the choice of some corporate algorithm.”

With Thursday’s vote, the FCC is seeking to bring Internet providers’ conduct in line with that of traditional telephone companies that have historically obeyed strict prohibitions on the unauthorized use or sale of call data.

Verizon’s acquisitions of AOL and Yahoo are both aimed at monetizing Internet usage beyond the straightforward sale of broadband access. With greater insights into customer behavior, the company could market additional services or content to its wireless subscribers as part of a bundle, policy analysts say. That arrangement could allow Verizon to effectively earn money twice from the same subscriber — once for the data plan, and then again when the customer consumes Verizon-affiliated content.

A company such as AT&T, which may soon own Time Warner’s stable of premium content channels, could even quadruple-dip. The firm could charge not only for Internet access and subscriptions to HBO’s $15-a-month streaming video app, but also earn revenue from ads shown on a rapidly growing number of screens on its network and from selling its user data to third-party marketers.

Under the rules approved Thursday, Verizon could use a wireless subscriber’s usage history to recommend purchasing a larger mobile data plan. It could also use the customer’s information — without asking consent — to market its home Internet service, Verizon FiOS, even though FiOS is a separate product operated by a different part of the company.

But Verizon would have to allow consumers the chance to opt out of having their data shared with other Verizon businesses that do not sell communications services, such as AOL or Yahoo, according to the rules.

Internet providers and Republican FCC commissioners complained that limiting the data collection of Internet providers gave an unfair advantage to other companies such as Google and Facebook that already make billions of dollars collecting data on users and selling it to advertisers.

“There is no lawful, factual or sound policy basis to justify a discriminatory approach that treats ISPs differently from some of the largest companies in the Internet ecosystem that engage in similar practices,” said NCTA — The Internet & Television Association, an industry trade group.

But the FCC may have little jurisdiction — or appetite — for regulating the data practices of individual Web companies; Wheeler has repeatedly declined to extend new regulations to the sector.

The different expectations for Internet providers and websites will create confusion among consumers, Republican FCC officials said.

“If the FCC truly believes that these new rules are necessary to protect consumer privacy, then the government now must move forward to ensure uniform regulation of all companies in the Internet ecosystem at the new baseline the FCC has set,” said FCC Commissioner Ajit Pai, who suggested that the Federal Trade Commission could accomplish the task.

“I am pleased that the Federal Communications Commission has adopted rules that will protect the privacy of millions of broadband users,” she said in a statement. “We look forward to continuing to work with the FCC to protect the privacy of American consumers.”

Brian FungBrian Fung covers business and technology for The Washington Post. Before joining The Post, he was the technology correspondent for National Journal and an associate editor at the Atlantic. Follow

Craig TimbergCraig Timberg is a national technology reporter for The Washington Post. Since joining The Post in 1998, he has been a reporter, editor and foreign correspondent, and he contributed to The Post’s Pulitzer Prize-winning coverage of the National Security Agency. Follow